Vidar

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This upgraded version of Arkei stealer has been terrorizing the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 23 October, 2021
Also known as: Arkei
Global rank: 16
Week rank: 7
Month rank: 5
IOCs: 16359

What is Vidar / Arkei malware?

Vidar is an information stealer Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to have originated in a Russian-speaking country since the malware is configured to stop execution if it detects that it is being run on a machine that is located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another cyber threat that is available for purchase under the MaaS (Malware-as-a-Service) business model, Vidar can be bought on its "official" website for a hefty price tag of $700, at least for the PRO version. A stripped-down version of the malware can be obtained for just $250.

According to the Vidar analysis, the malware is written in the C++ programming language. Purchasing an account grants the attacker access to a control panel where the cybercriminal can configure the malware to target particular information on the victims' PCs. As with Arkei, cybercriminals need to take precautions to protect the main payload themselves, using a crypter or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names Vidar uses to locate its C&C servers, to which stolen data is uploaded, change every four days. Even though they change steadily, the malware still requires a response from the server.

Arkei is capable of stealing text files in multiple formats, browser cookies and history, browser records (including data from TOR), and autofill values, including banking and credit card details. Based on the Vidar analysis, the malware can also search for cryptocurrency wallet information, take screenshots, and record private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar analysis

A video recorded in the ANY.RUN malware hunting service allows researchers to take a closer look at the lifecycle of Vidar and perform the analysis themselves.

Figure 1: A visual process graph generated by ANY.RUN

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

According to the Vidar analysis, after the user downloads and runs a malicious file, it spawns a child process and collects information from the infected system. Often, once the information has been collected, the malware terminates and deletes itself from the system via a command-line command.
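The "collect, then kill and delete itself via a command-line command" behaviour described above leaves a distinctive trace in process-creation telemetry: a cmd.exe child whose command line deletes its own parent's executable. The following detection logic is an added example, not code from the page or from ANY.RUN; the Sysmon-like event shape and the sample command lines are constructed for illustration, and the taskkill/del form of the command is an assumption, not something the page states.

```python
"""Flag a cmd.exe child that deletes its parent's executable (self-deletion).
Added example; EVENTS and their command lines are constructed, not observed."""
import re

# Word-bounded so that paths such as C:\model\ do not match "del".
KILL_RE = re.compile(r"\btaskkill\b", re.IGNORECASE)
DEL_RE = re.compile(r"\b(?:del|erase)\b", re.IGNORECASE)

# Constructed process-creation events in an assumed Sysmon-like shape.
EVENTS = [
    {"pid": 3988, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 3988, "image": r"C:\Users\u\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\u\Downloads\invoice.exe"'},
    # Constructed self-deletion: kill own image, wait, delete own file.
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c taskkill /im invoice.exe /f & timeout /t 3 '
                r'& del /f /q "C:\Users\u\Downloads\invoice.exe"'},
    # Benign: explorer's cmd child deletes an unrelated log file.
    {"pid": 5002, "ppid": 3988, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\Temp\build.log"},
]


def find_self_deletion(events):
    """Return one hit per cmd.exe process whose command line deletes the
    image of its parent process; 'kills_first' records a preceding taskkill."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in this batch; cannot tie the delete to it
        cmd = e["cmdline"]
        parent_name = parent["image"].rsplit("\\", 1)[-1].lower()
        if DEL_RE.search(cmd) and parent_name in cmd.lower():
            hits.append({"pid": e["pid"], "parent_image": parent["image"],
                         "kills_first": bool(KILL_RE.search(cmd))})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print("self-deletion by pid", hit["pid"], "of", hit["parent_image"])
```

The parent lookup is what keeps the benign `del` of an unrelated file from firing; in a real pipeline, resolve the parent from the full process tree rather than from the same batch of events.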

How to avoid infection by Vidar malware?

When spread via spam email campaigns, the Vidar stealer requires the user to download and run a malicious file to enter an active state and begin execution. Therefore, following some basic cybersecurity rules can ensure that users will stay safe from this malware and the incident response team will work effectively.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of being infected with malware such as Vidar, which uses these attack vectors to infect victims.

The distribution process of Vidar

According to the Vidar analysis, Arkei is distributed through spam email campaigns as a malicious attachment, like other malware. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar targets users all over the world, except some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering" during your Vidar analysis. Either open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a hazardous information stealer trojan, distributed as malware-as-a-service. Thanks to its extensive stealer feature set, the Vidar trojan can be used to retrieve a wide variety of information, including select cryptocurrency coins stolen from users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, allowing them to spread information about the danger and develop effective countermeasures and incident response.

IOCs

